I am trying to extract the room name from the string below, but the automatic field extraction does not find enough examples due to numerous other messages in logs.
"chat://room/domain/roomname"
I created a field extraction to extract the domain, called domain, but am not able to get Splunk to extract the room name.
Need to extract all characters between the last / and the ".
Appreciate your help.
Here is a very simple regex, to get you started, that will extract the roomname value out to the field "roomname_field":
"chat://\w+/\w+/(?<roomname_field>\w+)"
Without seeing a sample of many possible values I don't know what characters could be in the room, domain and roomname path parts. \w just captures [a-zA-Z_0-9]. Adjust as necessary.
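An added example, not part of the original posts: it runs the answer's `\w+` pattern next to an assumed alternative that captures everything from the last / up to the closing ", to show where `\w` truncates or misses a room name. The sample events, the function names and the `DELIMITED` pattern are assumptions made for illustration; JavaScript is used because it accepts the same `(?<name>...)` group syntax.

```javascript
// Constructed sample events (not taken from the original thread).
const SAMPLE_EVENTS = [
  'INFO join "chat://room/corp/lobby" user=alice',
  'INFO join "chat://room/corp/ops-team" user=bob',
  'INFO join "chat://room/chat.example.org/room 42" user=carol',
  'WARN disk usage at 91%', // unrelated log message
];

// Pattern as posted in the answer: \w+ only matches [a-zA-Z_0-9].
const WORD_ONLY = /chat:\/\/\w+\/\w+\/(?<roomname_field>\w+)/;

// Assumed alternative: each path part is "anything except / or a double
// quote", and the closing quote is required, so the capture runs from the
// last / up to the ".
const DELIMITED = /"chat:\/\/[^\/"]+\/[^\/"]+\/(?<roomname_field>[^\/"]+)"/;

// Return the captured room name, or null when the event does not match.
function extractRoom(pattern, event) {
  const m = pattern.exec(event);
  return m ? m.groups.roomname_field : null;
}

// Run both patterns over every event for a side-by-side comparison.
function compare(events) {
  return events.map((event) => ({
    event,
    wordOnly: extractRoom(WORD_ONLY, event),
    delimited: extractRoom(DELIMITED, event),
  }));
}

for (const row of compare(SAMPLE_EVENTS)) {
  console.log(JSON.stringify(row));
}
```

When the second pattern is placed inside a quoted `rex` argument, its literal double quotes need to be escaped as `\"`.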